VYPR
Vendor: Containerd

Products: 2
CVEs: 23
Across products: 23
Status: Private

Recent CVEs

  • CVE-2026-53492 | high | Jun 19, 2026
    risk 0.38 | cvss | epss

    Impact: containerd's CRI implementation improperly trusts Container Device Interface (CDI) annotations found within untrusted checkpoint image metadata during container restoration. When restoring a container from a checkpoint, containerd preserves CDI-related annotations…

  • CVE-2026-53489 | high | Jun 19, 2026
    risk 0.38 | cvss | epss

    Impact: A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on the host via `kubectl logs`. Patches: This bug has been fixed in the…

  • CVE-2026-53488 | high | Jun 19, 2026
    risk 0.38 | cvss | epss

    Impact: A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing an arbitrary command on the host, via a plugin that consumes container labels…

  • CVE-2026-46680 | high | May 21, 2026
    risk 0.38 | cvss | epss 0.00

    Impact: A bug was found in containerd where containers launched with a numeric `User` directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an `/etc/passwd` file mapping this large numeric string to root, the…

  • CVE-2026-50195 | Jun 19, 2026
    risk 0.00 | cvss | epss

    Impact: containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with permissions to create pods can use a crafted checkpoint image to force containerd…

  • CVE-2026-47262 | Jun 19, 2026
    risk 0.00 | cvss | epss

    Impact: A vulnerability in containerd allows a maliciously crafted image to cause a Denial of Service (DoS) condition. When creating a container from this image, memory exhaustion occurs, leading to an Out Of Memory (OOM) kill of the containerd process. This renders the…

  • CVE-2025-64329 | Nov 7, 2025
    risk 0.00 | cvss | epss 0.00

    containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation where a user can exhaust memory on the host due to goroutine…

  • CVE-2024-25621 | Nov 6, 2025
    risk 0.00 | cvss | epss 0.00

    containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`,…

  • CVE-2025-47291 | May 21, 2025
    risk 0.00 | cvss | epss 0.00

    containerd is an open-source container runtime. A bug was found in containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes…

  • CVE-2025-47290 | May 20, 2025
    risk 0.00 | cvss | epss 0.00

    containerd is a container runtime. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could arbitrarily modify the host file system. The only affected version of…

  • CVE-2024-40635 | Mar 17, 2025
    risk 0.00 | cvss | epss 0.00

    containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container…

  • CVE-2023-25173 | Feb 16, 2023
    risk 0.00 | cvss | epss 0.01

    containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group…

  • CVE-2023-25153 | Feb 16, 2023
    risk 0.00 | cvss | epss 0.00

    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of…

  • CVE-2022-23471 | Dec 7, 2022
    risk 0.00 | cvss | epss 0.01

    containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails…

  • CVE-2022-31030 | Jun 6, 2022
    risk 0.00 | cvss | epss 0.00

    containerd is an open source container runtime. A bug was found in containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume…

  • CVE-2022-24778 | Mar 25, 2022
    risk 0.00 | cvss | epss 0.03

    The imgcrypt library provides API extensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether…

  • CVE-2022-23648 | Mar 3, 2022
    risk 0.00 | cvss | epss 0.27

    containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration…

  • CVE-2021-43816 | Jan 5, 2022
    risk 0.00 | cvss | epss 0.02

    containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount,…

  • CVE-2021-41103 | Oct 4, 2021
    risk 0.00 | cvss | epss 0.00

    containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to…

  • CVE-2021-32760 | Jul 19, 2021
    risk 0.00 | cvss | epss 0.02

    containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file…